git.prognetwork.ru/x0r/utls@v1.3.3/handshake_server.go (about) 1 // Copyright 2009 The Go Authors. All rights reserved. 2 // Use of this source code is governed by a BSD-style 3 // license that can be found in the LICENSE file. 4 5 package tls 6 7 import ( 8 "context" 9 "crypto" 10 "crypto/ecdsa" 11 "crypto/ed25519" 12 "crypto/rsa" 13 "crypto/subtle" 14 "crypto/x509" 15 "errors" 16 "fmt" 17 "hash" 18 "io" 19 "sync/atomic" 20 "time" 21 ) 22 23 // serverHandshakeState contains details of a server handshake in progress. 24 // It's discarded once the handshake has completed. 25 type serverHandshakeState struct { 26 c *Conn 27 ctx context.Context 28 clientHello *clientHelloMsg 29 hello *serverHelloMsg 30 suite *cipherSuite 31 ecdheOk bool 32 ecSignOk bool 33 rsaDecryptOk bool 34 rsaSignOk bool 35 sessionState *sessionState 36 finishedHash finishedHash 37 masterSecret []byte 38 cert *Certificate 39 } 40 41 // serverHandshake performs a TLS handshake as a server. 42 func (c *Conn) serverHandshake(ctx context.Context) error { 43 clientHello, err := c.readClientHello(ctx) 44 if err != nil { 45 return err 46 } 47 48 if c.vers == VersionTLS13 { 49 hs := serverHandshakeStateTLS13{ 50 c: c, 51 ctx: ctx, 52 clientHello: clientHello, 53 } 54 return hs.handshake() 55 } 56 57 hs := serverHandshakeState{ 58 c: c, 59 ctx: ctx, 60 clientHello: clientHello, 61 } 62 return hs.handshake() 63 } 64 65 func (hs *serverHandshakeState) handshake() error { 66 c := hs.c 67 68 if err := hs.processClientHello(); err != nil { 69 return err 70 } 71 72 // For an overview of TLS handshaking, see RFC 5246, Section 7.3. 73 c.buffering = true 74 if hs.checkForResumption() { 75 // The client has included a session ticket and so we do an abbreviated handshake. 76 c.didResume = true 77 if err := hs.doResumeHandshake(); err != nil { 78 return err 79 } 80 if err := hs.establishKeys(); err != nil { 81 return err 82 } 83 if err := hs.sendSessionTicket(); err != nil { 84 return err 85 } 86 if err := hs.sendFinished(c.serverFinished[:]); err != nil { 87 return err 88 } 89 if _, err := c.flush(); err != nil { 90 return err 91 } 92 c.clientFinishedIsFirst = false 93 if err := hs.readFinished(nil); err != nil { 94 return err 95 } 96 } else { 97 // The client didn't include a session ticket, or it wasn't 98 // valid so we do a full handshake. 99 if err := hs.pickCipherSuite(); err != nil { 100 return err 101 } 102 if err := hs.doFullHandshake(); err != nil { 103 return err 104 } 105 if err := hs.establishKeys(); err != nil { 106 return err 107 } 108 if err := hs.readFinished(c.clientFinished[:]); err != nil { 109 return err 110 } 111 c.clientFinishedIsFirst = true 112 c.buffering = true 113 if err := hs.sendSessionTicket(); err != nil { 114 return err 115 } 116 if err := hs.sendFinished(nil); err != nil { 117 return err 118 } 119 if _, err := c.flush(); err != nil { 120 return err 121 } 122 } 123 124 c.ekm = ekmFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random) 125 atomic.StoreUint32(&c.handshakeStatus, 1) 126 127 return nil 128 } 129 130 // readClientHello reads a ClientHello message and selects the protocol version. 131 func (c *Conn) readClientHello(ctx context.Context) (*clientHelloMsg, error) { 132 // clientHelloMsg is included in the transcript, but we haven't initialized 133 // it yet. The respective handshake functions will record it themselves. 134 msg, err := c.readHandshake(nil) 135 if err != nil { 136 return nil, err 137 } 138 clientHello, ok := msg.(*clientHelloMsg) 139 if !ok { 140 c.sendAlert(alertUnexpectedMessage) 141 return nil, unexpectedMessageError(clientHello, msg) 142 } 143 144 var configForClient *Config 145 originalConfig := c.config 146 if c.config.GetConfigForClient != nil { 147 chi := clientHelloInfo(ctx, c, clientHello) 148 if configForClient, err = c.config.GetConfigForClient(chi); err != nil { 149 c.sendAlert(alertInternalError) 150 return nil, err 151 } else if configForClient != nil { 152 c.config = configForClient 153 } 154 } 155 c.ticketKeys = originalConfig.ticketKeys(configForClient) 156 157 clientVersions := clientHello.supportedVersions 158 if len(clientHello.supportedVersions) == 0 { 159 clientVersions = supportedVersionsFromMax(clientHello.vers) 160 } 161 c.vers, ok = c.config.mutualVersion(roleServer, clientVersions) 162 if !ok { 163 c.sendAlert(alertProtocolVersion) 164 return nil, fmt.Errorf("tls: client offered only unsupported versions: %x", clientVersions) 165 } 166 c.haveVers = true 167 c.in.version = c.vers 168 c.out.version = c.vers 169 170 return clientHello, nil 171 } 172 173 func (hs *serverHandshakeState) processClientHello() error { 174 c := hs.c 175 176 hs.hello = new(serverHelloMsg) 177 hs.hello.vers = c.vers 178 179 foundCompression := false 180 // We only support null compression, so check that the client offered it. 181 for _, compression := range hs.clientHello.compressionMethods { 182 if compression == compressionNone { 183 foundCompression = true 184 break 185 } 186 } 187 188 if !foundCompression { 189 c.sendAlert(alertHandshakeFailure) 190 return errors.New("tls: client does not support uncompressed connections") 191 } 192 193 hs.hello.random = make([]byte, 32) 194 serverRandom := hs.hello.random 195 // Downgrade protection canaries. See RFC 8446, Section 4.1.3. 196 maxVers := c.config.maxSupportedVersion(roleServer) 197 if maxVers >= VersionTLS12 && c.vers < maxVers || testingOnlyForceDowngradeCanary { 198 if c.vers == VersionTLS12 { 199 copy(serverRandom[24:], downgradeCanaryTLS12) 200 } else { 201 copy(serverRandom[24:], downgradeCanaryTLS11) 202 } 203 serverRandom = serverRandom[:24] 204 } 205 _, err := io.ReadFull(c.config.rand(), serverRandom) 206 if err != nil { 207 c.sendAlert(alertInternalError) 208 return err 209 } 210 211 if len(hs.clientHello.secureRenegotiation) != 0 { 212 c.sendAlert(alertHandshakeFailure) 213 return errors.New("tls: initial handshake had non-empty renegotiation extension") 214 } 215 216 hs.hello.secureRenegotiationSupported = hs.clientHello.secureRenegotiationSupported 217 hs.hello.compressionMethod = compressionNone 218 if len(hs.clientHello.serverName) > 0 { 219 c.serverName = hs.clientHello.serverName 220 } 221 222 selectedProto, err := negotiateALPN(c.config.NextProtos, hs.clientHello.alpnProtocols) 223 if err != nil { 224 c.sendAlert(alertNoApplicationProtocol) 225 return err 226 } 227 hs.hello.alpnProtocol = selectedProto 228 c.clientProtocol = selectedProto 229 230 hs.cert, err = c.config.getCertificate(clientHelloInfo(hs.ctx, c, hs.clientHello)) 231 if err != nil { 232 if err == errNoCertificates { 233 c.sendAlert(alertUnrecognizedName) 234 } else { 235 c.sendAlert(alertInternalError) 236 } 237 return err 238 } 239 if hs.clientHello.scts { 240 hs.hello.scts = hs.cert.SignedCertificateTimestamps 241 } 242 243 hs.ecdheOk = supportsECDHE(c.config, hs.clientHello.supportedCurves, hs.clientHello.supportedPoints) 244 245 if hs.ecdheOk && len(hs.clientHello.supportedPoints) > 0 { 246 // Although omitting the ec_point_formats extension is permitted, some 247 // old OpenSSL version will refuse to handshake if not present. 248 // 249 // Per RFC 4492, section 5.1.2, implementations MUST support the 250 // uncompressed point format. See golang.org/issue/31943. 251 hs.hello.supportedPoints = []uint8{pointFormatUncompressed} 252 } 253 254 if priv, ok := hs.cert.PrivateKey.(crypto.Signer); ok { 255 switch priv.Public().(type) { 256 case *ecdsa.PublicKey: 257 hs.ecSignOk = true 258 case ed25519.PublicKey: 259 hs.ecSignOk = true 260 case *rsa.PublicKey: 261 hs.rsaSignOk = true 262 default: 263 c.sendAlert(alertInternalError) 264 return fmt.Errorf("tls: unsupported signing key type (%T)", priv.Public()) 265 } 266 } 267 if priv, ok := hs.cert.PrivateKey.(crypto.Decrypter); ok { 268 switch priv.Public().(type) { 269 case *rsa.PublicKey: 270 hs.rsaDecryptOk = true 271 default: 272 c.sendAlert(alertInternalError) 273 return fmt.Errorf("tls: unsupported decryption key type (%T)", priv.Public()) 274 } 275 } 276 277 return nil 278 } 279 280 // negotiateALPN picks a shared ALPN protocol that both sides support in server 281 // preference order. If ALPN is not configured or the peer doesn't support it, 282 // it returns "" and no error. 283 func negotiateALPN(serverProtos, clientProtos []string) (string, error) { 284 if len(serverProtos) == 0 || len(clientProtos) == 0 { 285 return "", nil 286 } 287 var http11fallback bool 288 for _, s := range serverProtos { 289 for _, c := range clientProtos { 290 if s == c { 291 return s, nil 292 } 293 if s == "h2" && c == "http/1.1" { 294 http11fallback = true 295 } 296 } 297 } 298 // As a special case, let http/1.1 clients connect to h2 servers as if they 299 // didn't support ALPN. We used not to enforce protocol overlap, so over 300 // time a number of HTTP servers were configured with only "h2", but 301 // expected to accept connections from "http/1.1" clients. See Issue 46310. 302 if http11fallback { 303 return "", nil 304 } 305 return "", fmt.Errorf("tls: client requested unsupported application protocols (%s)", clientProtos) 306 } 307 308 // supportsECDHE returns whether ECDHE key exchanges can be used with this 309 // pre-TLS 1.3 client. 310 func supportsECDHE(c *Config, supportedCurves []CurveID, supportedPoints []uint8) bool { 311 supportsCurve := false 312 for _, curve := range supportedCurves { 313 if c.supportsCurve(curve) { 314 supportsCurve = true 315 break 316 } 317 } 318 319 supportsPointFormat := false 320 for _, pointFormat := range supportedPoints { 321 if pointFormat == pointFormatUncompressed { 322 supportsPointFormat = true 323 break 324 } 325 } 326 // Per RFC 8422, Section 5.1.2, if the Supported Point Formats extension is 327 // missing, uncompressed points are supported. If supportedPoints is empty, 328 // the extension must be missing, as an empty extension body is rejected by 329 // the parser. See https://go.dev/issue/49126. 330 if len(supportedPoints) == 0 { 331 supportsPointFormat = true 332 } 333 334 return supportsCurve && supportsPointFormat 335 } 336 337 func (hs *serverHandshakeState) pickCipherSuite() error { 338 c := hs.c 339 340 preferenceOrder := cipherSuitesPreferenceOrder 341 if !hasAESGCMHardwareSupport || !aesgcmPreferred(hs.clientHello.cipherSuites) { 342 preferenceOrder = cipherSuitesPreferenceOrderNoAES 343 } 344 345 configCipherSuites := c.config.cipherSuites() 346 preferenceList := make([]uint16, 0, len(configCipherSuites)) 347 for _, suiteID := range preferenceOrder { 348 for _, id := range configCipherSuites { 349 if id == suiteID { 350 preferenceList = append(preferenceList, id) 351 break 352 } 353 } 354 } 355 356 hs.suite = selectCipherSuite(preferenceList, hs.clientHello.cipherSuites, hs.cipherSuiteOk) 357 if hs.suite == nil { 358 c.sendAlert(alertHandshakeFailure) 359 return errors.New("tls: no cipher suite supported by both client and server") 360 } 361 c.cipherSuite = hs.suite.id 362 363 for _, id := range hs.clientHello.cipherSuites { 364 if id == TLS_FALLBACK_SCSV { 365 // The client is doing a fallback connection. See RFC 7507. 366 if hs.clientHello.vers < c.config.maxSupportedVersion(roleServer) { 367 c.sendAlert(alertInappropriateFallback) 368 return errors.New("tls: client using inappropriate protocol fallback") 369 } 370 break 371 } 372 } 373 374 return nil 375 } 376 377 func (hs *serverHandshakeState) cipherSuiteOk(c *cipherSuite) bool { 378 if c.flags&suiteECDHE != 0 { 379 if !hs.ecdheOk { 380 return false 381 } 382 if c.flags&suiteECSign != 0 { 383 if !hs.ecSignOk { 384 return false 385 } 386 } else if !hs.rsaSignOk { 387 return false 388 } 389 } else if !hs.rsaDecryptOk { 390 return false 391 } 392 if hs.c.vers < VersionTLS12 && c.flags&suiteTLS12 != 0 { 393 return false 394 } 395 return true 396 } 397 398 // checkForResumption reports whether we should perform resumption on this connection. 399 func (hs *serverHandshakeState) checkForResumption() bool { 400 c := hs.c 401 402 if c.config.SessionTicketsDisabled { 403 return false 404 } 405 406 plaintext, usedOldKey := c.decryptTicket(hs.clientHello.sessionTicket) 407 if plaintext == nil { 408 return false 409 } 410 hs.sessionState = &sessionState{usedOldKey: usedOldKey} 411 ok := hs.sessionState.unmarshal(plaintext) 412 if !ok { 413 return false 414 } 415 416 createdAt := time.Unix(int64(hs.sessionState.createdAt), 0) 417 if c.config.time().Sub(createdAt) > maxSessionTicketLifetime { 418 return false 419 } 420 421 // Never resume a session for a different TLS version. 422 if c.vers != hs.sessionState.vers { 423 return false 424 } 425 426 cipherSuiteOk := false 427 // Check that the client is still offering the ciphersuite in the session. 428 for _, id := range hs.clientHello.cipherSuites { 429 if id == hs.sessionState.cipherSuite { 430 cipherSuiteOk = true 431 break 432 } 433 } 434 if !cipherSuiteOk { 435 return false 436 } 437 438 // Check that we also support the ciphersuite from the session. 439 hs.suite = selectCipherSuite([]uint16{hs.sessionState.cipherSuite}, 440 c.config.cipherSuites(), hs.cipherSuiteOk) 441 if hs.suite == nil { 442 return false 443 } 444 445 sessionHasClientCerts := len(hs.sessionState.certificates) != 0 446 needClientCerts := requiresClientCert(c.config.ClientAuth) 447 if needClientCerts && !sessionHasClientCerts { 448 return false 449 } 450 if sessionHasClientCerts && c.config.ClientAuth == NoClientCert { 451 return false 452 } 453 454 return true 455 } 456 457 func (hs *serverHandshakeState) doResumeHandshake() error { 458 c := hs.c 459 460 hs.hello.cipherSuite = hs.suite.id 461 c.cipherSuite = hs.suite.id 462 // We echo the client's session ID in the ServerHello to let it know 463 // that we're doing a resumption. 464 hs.hello.sessionId = hs.clientHello.sessionId 465 hs.hello.ticketSupported = hs.sessionState.usedOldKey 466 hs.finishedHash = newFinishedHash(c.vers, hs.suite) 467 hs.finishedHash.discardHandshakeBuffer() 468 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { 469 return err 470 } 471 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { 472 return err 473 } 474 475 if err := c.processCertsFromClient(Certificate{ 476 Certificate: hs.sessionState.certificates, 477 }); err != nil { 478 return err 479 } 480 481 if c.config.VerifyConnection != nil { 482 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 483 c.sendAlert(alertBadCertificate) 484 return err 485 } 486 } 487 488 hs.masterSecret = hs.sessionState.masterSecret 489 490 return nil 491 } 492 493 func (hs *serverHandshakeState) doFullHandshake() error { 494 c := hs.c 495 496 if hs.clientHello.ocspStapling && len(hs.cert.OCSPStaple) > 0 { 497 hs.hello.ocspStapling = true 498 } 499 500 hs.hello.ticketSupported = hs.clientHello.ticketSupported && !c.config.SessionTicketsDisabled 501 hs.hello.cipherSuite = hs.suite.id 502 503 hs.finishedHash = newFinishedHash(hs.c.vers, hs.suite) 504 if c.config.ClientAuth == NoClientCert { 505 // No need to keep a full record of the handshake if client 506 // certificates won't be used. 507 hs.finishedHash.discardHandshakeBuffer() 508 } 509 if err := transcriptMsg(hs.clientHello, &hs.finishedHash); err != nil { 510 return err 511 } 512 if _, err := hs.c.writeHandshakeRecord(hs.hello, &hs.finishedHash); err != nil { 513 return err 514 } 515 516 certMsg := new(certificateMsg) 517 certMsg.certificates = hs.cert.Certificate 518 if _, err := hs.c.writeHandshakeRecord(certMsg, &hs.finishedHash); err != nil { 519 return err 520 } 521 522 if hs.hello.ocspStapling { 523 certStatus := new(certificateStatusMsg) 524 certStatus.response = hs.cert.OCSPStaple 525 if _, err := hs.c.writeHandshakeRecord(certStatus, &hs.finishedHash); err != nil { 526 return err 527 } 528 } 529 530 keyAgreement := hs.suite.ka(c.vers) 531 skx, err := keyAgreement.generateServerKeyExchange(c.config, hs.cert, hs.clientHello, hs.hello) 532 if err != nil { 533 c.sendAlert(alertHandshakeFailure) 534 return err 535 } 536 if skx != nil { 537 if _, err := hs.c.writeHandshakeRecord(skx, &hs.finishedHash); err != nil { 538 return err 539 } 540 } 541 542 var certReq *certificateRequestMsg 543 if c.config.ClientAuth >= RequestClientCert { 544 // Request a client certificate 545 certReq = new(certificateRequestMsg) 546 certReq.certificateTypes = []byte{ 547 byte(certTypeRSASign), 548 byte(certTypeECDSASign), 549 } 550 if c.vers >= VersionTLS12 { 551 certReq.hasSignatureAlgorithm = true 552 certReq.supportedSignatureAlgorithms = supportedSignatureAlgorithms() 553 } 554 555 // An empty list of certificateAuthorities signals to 556 // the client that it may send any certificate in response 557 // to our request. When we know the CAs we trust, then 558 // we can send them down, so that the client can choose 559 // an appropriate certificate to give to us. 560 if c.config.ClientCAs != nil { 561 certReq.certificateAuthorities = c.config.ClientCAs.Subjects() 562 } 563 if _, err := hs.c.writeHandshakeRecord(certReq, &hs.finishedHash); err != nil { 564 return err 565 } 566 } 567 568 helloDone := new(serverHelloDoneMsg) 569 if _, err := hs.c.writeHandshakeRecord(helloDone, &hs.finishedHash); err != nil { 570 return err 571 } 572 573 if _, err := c.flush(); err != nil { 574 return err 575 } 576 577 var pub crypto.PublicKey // public key for client auth, if any 578 579 msg, err := c.readHandshake(&hs.finishedHash) 580 if err != nil { 581 return err 582 } 583 584 // If we requested a client certificate, then the client must send a 585 // certificate message, even if it's empty. 586 if c.config.ClientAuth >= RequestClientCert { 587 certMsg, ok := msg.(*certificateMsg) 588 if !ok { 589 c.sendAlert(alertUnexpectedMessage) 590 return unexpectedMessageError(certMsg, msg) 591 } 592 593 if err := c.processCertsFromClient(Certificate{ 594 Certificate: certMsg.certificates, 595 }); err != nil { 596 return err 597 } 598 if len(certMsg.certificates) != 0 { 599 pub = c.peerCertificates[0].PublicKey 600 } 601 602 msg, err = c.readHandshake(&hs.finishedHash) 603 if err != nil { 604 return err 605 } 606 } 607 if c.config.VerifyConnection != nil { 608 if err := c.config.VerifyConnection(c.connectionStateLocked()); err != nil { 609 c.sendAlert(alertBadCertificate) 610 return err 611 } 612 } 613 614 // Get client key exchange 615 ckx, ok := msg.(*clientKeyExchangeMsg) 616 if !ok { 617 c.sendAlert(alertUnexpectedMessage) 618 return unexpectedMessageError(ckx, msg) 619 } 620 621 preMasterSecret, err := keyAgreement.processClientKeyExchange(c.config, hs.cert, ckx, c.vers) 622 if err != nil { 623 c.sendAlert(alertHandshakeFailure) 624 return err 625 } 626 hs.masterSecret = masterFromPreMasterSecret(c.vers, hs.suite, preMasterSecret, hs.clientHello.random, hs.hello.random) 627 if err := c.config.writeKeyLog(keyLogLabelTLS12, hs.clientHello.random, hs.masterSecret); err != nil { 628 c.sendAlert(alertInternalError) 629 return err 630 } 631 632 // If we received a client cert in response to our certificate request message, 633 // the client will send us a certificateVerifyMsg immediately after the 634 // clientKeyExchangeMsg. This message is a digest of all preceding 635 // handshake-layer messages that is signed using the private key corresponding 636 // to the client's certificate. This allows us to verify that the client is in 637 // possession of the private key of the certificate. 638 if len(c.peerCertificates) > 0 { 639 // certificateVerifyMsg is included in the transcript, but not until 640 // after we verify the handshake signature, since the state before 641 // this message was sent is used. 642 msg, err = c.readHandshake(nil) 643 if err != nil { 644 return err 645 } 646 certVerify, ok := msg.(*certificateVerifyMsg) 647 if !ok { 648 c.sendAlert(alertUnexpectedMessage) 649 return unexpectedMessageError(certVerify, msg) 650 } 651 652 var sigType uint8 653 var sigHash crypto.Hash 654 if c.vers >= VersionTLS12 { 655 if !isSupportedSignatureAlgorithm(certVerify.signatureAlgorithm, certReq.supportedSignatureAlgorithms) { 656 c.sendAlert(alertIllegalParameter) 657 return errors.New("tls: client certificate used with invalid signature algorithm") 658 } 659 sigType, sigHash, err = typeAndHashFromSignatureScheme(certVerify.signatureAlgorithm) 660 if err != nil { 661 return c.sendAlert(alertInternalError) 662 } 663 } else { 664 sigType, sigHash, err = legacyTypeAndHashFromPublicKey(pub) 665 if err != nil { 666 c.sendAlert(alertIllegalParameter) 667 return err 668 } 669 } 670 671 signed := hs.finishedHash.hashForClientCertificate(sigType, sigHash, hs.masterSecret) 672 if err := verifyHandshakeSignature(sigType, pub, sigHash, signed, certVerify.signature); err != nil { 673 c.sendAlert(alertDecryptError) 674 return errors.New("tls: invalid signature by the client certificate: " + err.Error()) 675 } 676 677 if err := transcriptMsg(certVerify, &hs.finishedHash); err != nil { 678 return err 679 } 680 } 681 682 hs.finishedHash.discardHandshakeBuffer() 683 684 return nil 685 } 686 687 func (hs *serverHandshakeState) establishKeys() error { 688 c := hs.c 689 690 clientMAC, serverMAC, clientKey, serverKey, clientIV, serverIV := 691 keysFromMasterSecret(c.vers, hs.suite, hs.masterSecret, hs.clientHello.random, hs.hello.random, hs.suite.macLen, hs.suite.keyLen, hs.suite.ivLen) 692 693 var clientCipher, serverCipher any 694 var clientHash, serverHash hash.Hash 695 696 if hs.suite.aead == nil { 697 clientCipher = hs.suite.cipher(clientKey, clientIV, true /* for reading */) 698 clientHash = hs.suite.mac(clientMAC) 699 serverCipher = hs.suite.cipher(serverKey, serverIV, false /* not for reading */) 700 serverHash = hs.suite.mac(serverMAC) 701 } else { 702 clientCipher = hs.suite.aead(clientKey, clientIV) 703 serverCipher = hs.suite.aead(serverKey, serverIV) 704 } 705 706 c.in.prepareCipherSpec(c.vers, clientCipher, clientHash) 707 c.out.prepareCipherSpec(c.vers, serverCipher, serverHash) 708 709 return nil 710 } 711 712 func (hs *serverHandshakeState) readFinished(out []byte) error { 713 c := hs.c 714 715 if err := c.readChangeCipherSpec(); err != nil { 716 return err 717 } 718 719 // finishedMsg is included in the transcript, but not until after we 720 // check the client version, since the state before this message was 721 // sent is used during verification. 722 msg, err := c.readHandshake(nil) 723 if err != nil { 724 return err 725 } 726 clientFinished, ok := msg.(*finishedMsg) 727 if !ok { 728 c.sendAlert(alertUnexpectedMessage) 729 return unexpectedMessageError(clientFinished, msg) 730 } 731 732 verify := hs.finishedHash.clientSum(hs.masterSecret) 733 if len(verify) != len(clientFinished.verifyData) || 734 subtle.ConstantTimeCompare(verify, clientFinished.verifyData) != 1 { 735 c.sendAlert(alertHandshakeFailure) 736 return errors.New("tls: client's Finished message is incorrect") 737 } 738 739 if err := transcriptMsg(clientFinished, &hs.finishedHash); err != nil { 740 return err 741 } 742 743 copy(out, verify) 744 return nil 745 } 746 747 func (hs *serverHandshakeState) sendSessionTicket() error { 748 // ticketSupported is set in a resumption handshake if the 749 // ticket from the client was encrypted with an old session 750 // ticket key and thus a refreshed ticket should be sent. 751 if !hs.hello.ticketSupported { 752 return nil 753 } 754 755 c := hs.c 756 m := new(newSessionTicketMsg) 757 758 createdAt := uint64(c.config.time().Unix()) 759 if hs.sessionState != nil { 760 // If this is re-wrapping an old key, then keep 761 // the original time it was created. 762 createdAt = hs.sessionState.createdAt 763 } 764 765 var certsFromClient [][]byte 766 for _, cert := range c.peerCertificates { 767 certsFromClient = append(certsFromClient, cert.Raw) 768 } 769 state := sessionState{ 770 vers: c.vers, 771 cipherSuite: hs.suite.id, 772 createdAt: createdAt, 773 masterSecret: hs.masterSecret, 774 certificates: certsFromClient, 775 } 776 stateBytes, err := state.marshal() 777 if err != nil { 778 return err 779 } 780 m.ticket, err = c.encryptTicket(stateBytes) 781 if err != nil { 782 return err 783 } 784 785 if _, err := hs.c.writeHandshakeRecord(m, &hs.finishedHash); err != nil { 786 return err 787 } 788 789 return nil 790 } 791 792 func (hs *serverHandshakeState) sendFinished(out []byte) error { 793 c := hs.c 794 795 if err := c.writeChangeCipherRecord(); err != nil { 796 return err 797 } 798 799 finished := new(finishedMsg) 800 finished.verifyData = hs.finishedHash.serverSum(hs.masterSecret) 801 if _, err := hs.c.writeHandshakeRecord(finished, &hs.finishedHash); err != nil { 802 return err 803 } 804 805 copy(out, finished.verifyData) 806 807 return nil 808 } 809 810 // processCertsFromClient takes a chain of client certificates either from a 811 // Certificates message or from a sessionState and verifies them. It returns 812 // the public key of the leaf certificate. 813 func (c *Conn) processCertsFromClient(certificate Certificate) error { 814 certificates := certificate.Certificate 815 certs := make([]*x509.Certificate, len(certificates)) 816 var err error 817 for i, asn1Data := range certificates { 818 if certs[i], err = x509.ParseCertificate(asn1Data); err != nil { 819 c.sendAlert(alertBadCertificate) 820 return errors.New("tls: failed to parse client certificate: " + err.Error()) 821 } 822 } 823 824 if len(certs) == 0 && requiresClientCert(c.config.ClientAuth) { 825 c.sendAlert(alertBadCertificate) 826 return errors.New("tls: client didn't provide a certificate") 827 } 828 829 if c.config.ClientAuth >= VerifyClientCertIfGiven && len(certs) > 0 { 830 opts := x509.VerifyOptions{ 831 Roots: c.config.ClientCAs, 832 CurrentTime: c.config.time(), 833 Intermediates: x509.NewCertPool(), 834 KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}, 835 } 836 837 for _, cert := range certs[1:] { 838 opts.Intermediates.AddCert(cert) 839 } 840 841 chains, err := certs[0].Verify(opts) 842 if err != nil { 843 c.sendAlert(alertBadCertificate) 844 return errors.New("tls: failed to verify client certificate: " + err.Error()) 845 } 846 847 c.verifiedChains = chains 848 } 849 850 c.peerCertificates = certs 851 c.ocspResponse = certificate.OCSPStaple 852 c.scts = certificate.SignedCertificateTimestamps 853 854 if len(certs) > 0 { 855 switch certs[0].PublicKey.(type) { 856 case *ecdsa.PublicKey, *rsa.PublicKey, ed25519.PublicKey: 857 default: 858 c.sendAlert(alertUnsupportedCertificate) 859 return fmt.Errorf("tls: client certificate contains an unsupported public key of type %T", certs[0].PublicKey) 860 } 861 } 862 863 if c.config.VerifyPeerCertificate != nil { 864 if err := c.config.VerifyPeerCertificate(certificates, c.verifiedChains); err != nil { 865 c.sendAlert(alertBadCertificate) 866 return err 867 } 868 } 869 870 return nil 871 } 872 873 func clientHelloInfo(ctx context.Context, c *Conn, clientHello *clientHelloMsg) *ClientHelloInfo { 874 supportedVersions := clientHello.supportedVersions 875 if len(clientHello.supportedVersions) == 0 { 876 supportedVersions = supportedVersionsFromMax(clientHello.vers) 877 } 878 879 return &ClientHelloInfo{ 880 CipherSuites: clientHello.cipherSuites, 881 ServerName: clientHello.serverName, 882 SupportedCurves: clientHello.supportedCurves, 883 SupportedPoints: clientHello.supportedPoints, 884 SignatureSchemes: clientHello.supportedSignatureAlgorithms, 885 SupportedProtos: clientHello.alpnProtocols, 886 SupportedVersions: supportedVersions, 887 Conn: c.conn, 888 config: c.config, 889 ctx: ctx, 890 } 891 }